A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS.

DETAILED ACTION

This action is in response to the papers filed 9/24/2007. Claims 1-20 were 
received for consideration. 

Response to arguments 

In response to applicant's argument that there is no suggestion to combine the 
references, the examiner recognizes that obviousness can only be established by 
combining or modifying the teachings of the prior art to produce the claimed invention 
where there is some teaching, suggestion, or motivation to do so found either in the 
references themselves or in the knowledge generally available to one of ordinary skill in 
the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988) and In re
Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992). In this case both Soles and
Todd have to do with a security assessment for assessing vulnerability. See Soles
column 2 lines 4-7 and 38-52 and Todd column 2 line 63 - column 4 line 4. Todd 
teaches that his method of providing a security assessment for a particular host 
provides the advantage of allowing the detection of vulnerability to denial of service 
attacks (Column 3, lines 63 - Column 4, lines 5) and has included a time period to fix
security vulnerabilities (Column 7 lines 1-13). It would have been obvious to one of 
ordinary skill in the art to use the additional security assessment of Todd for scanning a 
host because it would allow the ascertaining of the vulnerability level of the host to 
denial of service attacks to increase the security testing of the Soles system. 

Applicant's arguments with respect to claims 1, 12, 23, and 25 that Soles fails to
teach security vulnerability have been fully considered but they are not persuasive.
Soles and Todd both disclose security vulnerabilities. Soles teaches that the system of
evaluating the performance of a computer includes security vulnerabilities at column 2
lines 1-11 and column 8 line 63 - column 9 line 13. Todd also teaches a method of
providing a security assessment for a particular host the security vulnerabilities at 
column 3 line 63 - column 4 line 4. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed 
or described as set forth in section 102 of this title, if the differences between the
subject matter sought to be patented and the prior art are such that the subject 
matter as a whole would have been obvious at the time the invention was made 
to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was 
made. 

Claims 1-26 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Soles et al. (US patent 6782421) and Todd Sr et al. (US patent 6185689). 

With respect to claim 1, 12, 23 and 25, Soles teaches the method for providing
automated tracking of security vulnerabilities, comprising: using a computer device to 
perform a security vulnerability assessment on a system (Column 2, lines 4-7, 37-67, 
Column 8, lines 55 - column 9 line 13); storing data obtained from the security 
vulnerability assessment in a security vulnerabilities database (Column 4, lines 47-64); 
determining using a computer, a security vulnerability score based on a plurality of
vulnerability factors identified by the vulnerability assessment (Column 5, lines 50-67 
and column 6, lines 5-65). Soles fails to explicitly disclose determining a time to fix a 
security vulnerability identified by the security vulnerability assessment of the system 
based on the determined security vulnerability score. Todd discloses a method of 
assessing a particular host for security vulnerabilities in which he teaches determining a 
time to fix a security vulnerability identified by the security vulnerability assessment of 
the system based on the determined security vulnerability score (Column 7, lines 1-7). 
Todd teaches that his method of providing a security assessment for a particular host 
provides the advantage of allowing the detection of vulnerability to denial of service 
attacks (Column 3, lines 63 - Column 4, lines 5). It would have been obvious to one of 
ordinary skill in the art to use the additional security assessment of Todd for scanning a 
host because it would allow the ascertaining of the vulnerability level of the host to 
denial of service attacks. 

With respect to claim 2 and 13, wherein determining the security vulnerability 
factor further comprises considering the frequency the identified security vulnerability 
occurs in the system (Figure 16, Column 7, lines 8-50 and Column 9, lines 35-45 i.e. the 
frequency of the identified vulnerability may be gauged in monthly or other cycles)

With respect to claim 3 and 14, wherein determining the security vulnerability 
factor further comprises the criticality of an element in the system presenting the 
security vulnerability and a rating of the severity of the security vulnerability (Figures 17- 
20 23, Column 9, lines 45 - Column 10, line 17 i.e. the criticality of an element in the 
system is the business risk associated with the vulnerability and how much of a threat it
has to impacting users) 

With respect to claim 4 and 15, Todd discloses the method of claim 1 further 
comprising determining an IP address associated with the security vulnerability (See 
Todd Column 5, lines 65-Column 6, lines 5 Column 4, line 55-65 and Column 8, line 5- 
20) 

With respect to claim 5 and 16, Todd discloses the method of claim 4 further 
comprising entering the IP address and a description of the identified security 
vulnerability in a tracking database. (Column 7, line 55 - Column 8, line 66, Column 7, 
lines 18-25 and Column 5, lines 5-20)

With respect to claim 6 and 17, Soles et al. discloses the method of claim 1 
further comprising determining delinquent security vulnerabilities based upon the 
determined time to fix the vulnerability identified by the security vulnerability assessment. 
(Column 7, lines 1-7 i.e. if the vulnerability is not fixed within a month, the service grade 
will drop). 

With respect to claim 7 and 18, Soles et al. discloses the method of claim 6 
further comprising providing notification of determined delinquencies (Column 7, lines 1-7).

With respect to claim 8 and 19, Todd Sr. et al. discloses the method of claim 6 
further comprising re-running a scan profile when notification is received that the 
security vulnerability has been fixed (Column 7, lines 45-56). 



Application/Control Number: 10/759,241 Page 6

Art Unit: 2132 

With respect to claim 9 and 20, Todd Sr. et al. discloses the method of claim 8 
further comprising determining whether the security vulnerability still exists and 
archiving records associated with the security vulnerability when the security 
vulnerability does not exist (Column 7, lines 45-56 where the determination if the 
vulnerability still exists would be made by rescanning the system, and results would be 
archived to a hypertext report)

With respect to claim 10, 21, 24 and 26, Soles et al. discloses a method for 
determining a criticality factor for a security vulnerability in a computer system, 
comprising: Entering in a database security vulnerabilities identified during a security 
vulnerability assessment (Column 4, lines 47-64 the data drawn from the evaluation is 
stored in a database as a metrics history). Monitoring a frequency of occurrence for
the identified security vulnerabilities. (Column 9, lines 35-45) & (Figure 16). Assigning a 
security vulnerability factor to a security vulnerability based upon the frequency of 
occurrence of the security vulnerability in the system (Figures 17-20 23, and Column 9, 
lines 45 - Column 10, line 17) 

With respect to claim 11 and 22, Soles et al. discloses the method of claim 10,
wherein the assigning a vulnerability factor further comprises considering a criticality of 
an element in the system presenting the vulnerability and a rating of the severity of the 
vulnerability within the system (Figures 17-20 23 and Column 9, lines 45 - Column 10, 
line 17 the criticality of an element in the system is the business risk associated with the 
vulnerability and how much of a threat it has to impacting users). 

Conclusion

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Devin Almeida whose telephone number is 571-270-1018.
The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to
5:00 P.M. The examiner can also be reached on alternate Fridays from 7:30 A.M. to 
4:00 P.M. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron, can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR.
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 

Patent Examiner